Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ENH:proposals: add in-toto graduation proposal #1162

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

SantiagoTorres
Copy link
Contributor

@SantiagoTorres SantiagoTorres commented Aug 31, 2023

This is a formal proposal for the graduation of the in-toto project.

in-toto, an open-source project that joined CNCF as a sandbox project in August 2019, and incubation in March 2022.
Since then, in-toto has experienced a remarkable degree of adoption within various ecosystems and usecases. These include cases such as GitHub's, Gitlab's and Tekton among others. Due to this, we are confident that in-toto is ready to graduate.

Supporting Documents

link to graduation DD document

Incubation Documents

link to incubation PR
incubation DD

P.S. I was holding back on the former proposal because there were going to be changes to the process, but seeing other projects are moving forward as well I'd rather leave a formal paper trail

@lukehinds
Copy link
Contributor

nb +1 !

@adityasaky
Copy link
Contributor

Very excited to see this happen!

@JustinCappos
Copy link
Contributor

nb +1. This is long overdue!!!

@trishankatdatadog
Copy link
Contributor

+1

giphy

@mnm678
Copy link
Contributor

mnm678 commented Aug 31, 2023

nb +1

@tannerjones4075
Copy link

It is great to see the progress and see the impact of in-toto thus far. Great things to come!

@amye amye added the graduation label Sep 6, 2023
@evan2645
Copy link

evan2645 commented Sep 6, 2023

nb +1 🎉

@joshuagl
Copy link

joshuagl commented Sep 7, 2023

nb +1 🎓

in-toto is not only a great system, it is also a frequently cited inspiration for other systems, defines standard formats that multiple systems implement, and benefits from multiple quality implementations.

@lukpueh
Copy link

lukpueh commented Oct 16, 2023

nb +1

As one of the original in-toto core team members, I can attest that a lot of thought has gone into the design and development of the system. And I am very excited to see its impact grow in the supply chain security ecosystem. Graduation seems appropriate.

@marcelamelara
Copy link

+1 for graduation of in-toto!!

@colek42
Copy link

colek42 commented Oct 16, 2023

+1

1 similar comment
@kommendorkapten
Copy link

+1

@idunbarh
Copy link

+1 as a relative new comer to the project and I've been really impressed by the maintainers and community. Absolutely supportive of project graduation!

@alanssitis
Copy link

+1 ❤️

@06kellyjac
Copy link

+1

1 similar comment
@matglas
Copy link

matglas commented May 5, 2024

+1

@linsun linsun self-assigned this Jun 3, 2024
@linsun
Copy link
Contributor

linsun commented Jun 3, 2024

Hi @SantiagoTorres, I'll be reviewing your proposal soon! Excited to see so much support of in-toto here!

@kairoaraujo
Copy link

+1

@linsun
Copy link
Contributor

linsun commented Jun 25, 2024

Some update - met with @SantiagoTorres last week and walked him through the new process along with expected timeline. Raised a few issues with @SantiagoTorres and started working on putting DD doc together. From our discussion, @SantiagoTorres has already setup a review with TAG-security, see cncf/tag-security#1290.

I'm traveling for this and next 2 weeks unfortunately, will have limited bandwidth but will make progress whenever I can.

cc @TheFoxAtWork @nikhita FYI

@anvega
Copy link
Contributor

anvega commented Jul 18, 2024

TAG Security has conducted a thorough review of the in-toto project as part of its consideration for CNCF graduation. Based on our assessment, we find:

in-toto presents as a mature, well designed security project that has made significant strides toward graduation. Key points supporting this include:

  • in-toto's value and reliability in real world applications is exhibited by its wide adoption across companies and projects, including Datadog, Solarwinds's Trebuchet, GitHub NPM Package Provenance, OpenVEX, SLSA, Sigstore, Tekton and many more. This demonstrates its value and reliability in real world applications.
  • The project underwent a thorough security audit conducted by X41 D-sec, facilitated by OSTIF and funded by CNCF. This audit demonstrated: a) Scope: The audit covered both Python and Go implementations, reviewing all in-scope code. b) Methodology: Manual review was complemented by language-specific static code analyzers, ensuring a comprehensive approach. c) Findings: The audit identified 1 High, 4 Medium, and 3 Low severity vulnerabilities, indicating a thorough examination. d) Critical issue addressed: The most severe vulnerability, which could have compromised the entire security chain, was identified and addressed. e) Transparency: The full audit report is publicly available, demonstrating the project's commitment to openness. f) Proactive improvements: X41's team provided recommendations to enhance the overall security posture beyond just addressing vulnerabilities.
  • in-toto has achieved gold status on the OpenSSF Best Practices badge, indicating adherence to security recommended practices.
  • The project is very intentional about its design providing a flexible framework for securing software supply chains, allowing for various use cases and integrations. Its design enables detailed tracking and verification of software development processes.
  • in-toto has updated its governance structure, formed a technical steering committee with defined roles and duties, and conducted elections, demonstrating a commitment to sustainable community management.
  • The project has addressed concerns raised during the incubation review, including conducting a security audit, improving documentation, and enhancing governance.

Opportunities for further development:

  • As in-toto subprojects under the larger in-toto organization umbrella continue mature, there may be value in conducting security audits for these components, particularly for newly donated subprojects.
  • The project's role in important initiatives like SLSA could be further highlighted to demonstrate its impact on the broader security ecosystem.
  • Encouraging and supporting further integrations with other tools and platforms could enhance in-toto's value prop.

In conclusion, in-toto demonstrates the characteristics of a graduated level CNCF project, particularly in terms of security. Its wide adoption, successful response to security audits, and overall mature security posture make it a strong candidate for graduation. The project serves as an exemplar of security design in the ecosystem.

@linsun
Copy link
Contributor

linsun commented Jul 29, 2024

Thank you @anvega for the detailed note, glad the review went very well and in-toto continues to demonstrate the characteristics of a graduated level CNCF project.

Update: @SantiagoTorres is working on getting me interviewer lists and also answering some questions I had while preparing the DD doc.

@linsun
Copy link
Contributor

linsun commented Sep 3, 2024

Still working on @SantiagoTorres on the proposal doc, also have 1 interviewee scheduled this week!

@linsun
Copy link
Contributor

linsun commented Oct 1, 2024

Synched with @SantiagoTorres today, DD 80% done, a few todo items remaining but nothing blocking. Adopter 1 interview has been done and uploaded to CNCF TOC folder, and adopter 2 interview is being rescheduled.

@trishankatdatadog
Copy link
Contributor

Synched with @SantiagoTorres today, DD 80% done, a few todo items remaining but nothing blocking. Adopter 1 interview has been done and uploaded to CNCF TOC folder, and adopter 2 interview is being rescheduled.

Anything else the in-toto Steering Committee can help with here, please?

@jberkus
Copy link
Contributor

jberkus commented Oct 2, 2024

Someone needs to submit at Governance Review request for In-toto.

@trishankatdatadog
Copy link
Contributor

Someone needs to submit at Governance Review request for In-toto.

Got it. Where and how, please?

@TheFoxAtWork
Copy link
Contributor

https://github.com/cncf/tag-contributor-strategy/issues/new?template=governance-review-request.yaml

@linsun
Copy link
Contributor

linsun commented Oct 4, 2024

Thanks for the reminder @jberkus and @TheFoxAtWork for the link! @trishankatdatadog and @SantiagoTorres pls let us know when this is submitted, thanks!

@jberkus
Copy link
Contributor

jberkus commented Oct 16, 2024

Ping, we still don't have a gov review request.

@trishankatdatadog
Copy link
Contributor

Ping, we still don't have a gov review request.

Sorry for the delay --- was going to send today! Let me send it off in a bit...

@trishankatdatadog
Copy link
Contributor

Ping, we still don't have a gov review request.

Sorry for the delay --- was going to send today! Let me send it off in a bit...

Done! Please let us know if you need any other information there.

@linsun
Copy link
Contributor

linsun commented Oct 22, 2024

Still working on @SantiagoTorres on the proposal doc, waiting for a few final items from @SantiagoTorres! 2 adopter interviews are finished and working on getting the 3rd interviewee scheduled!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: In Due Diligence
Development

Successfully merging this pull request may close these issues.